
THE TOOLS 



How to use Socat and Wireshark for Practical SSL Protocol Reverse Engineering?

Secure Socket Layer (SSL) Man-In-the-Middle (MITM) proxies have two very
specific purposes. The first is to allow a client with one set of keys to
communicate with a service that has a different set of keys without either
side knowing about it. This is typically seen as a MITM attack but can be
used for productive ends as well. The second is to view the unencrypted data
for security, educational, and reverse engineering purposes.



For instance, a system administrator could set up a proxy to allow SSL
clients that don't support more modern SSL methods, or even SSL at all, to
get access to services securely. Typically, this involves having the proxy
set up behind your firewall so that unencrypted content stays within the
confines of your local area.

Being able to analyze the unencrypted data is very important to security
auditors as well. A very large percentage of developers feel their services
are adequately protected since SSL is being used between the client and the
server. This includes the idea that if the SSL client is custom closed source
software, the protocol will be unbreakable and therefore immune to tampering.
If you're investing your company's funds using a service that could easily be
subject to tampering, then you may end up with a nasty surprise: lost funds,
perhaps, or possibly having your account information publicly available. This
article focuses on using an SSL MITM proxy to reverse engineer a simple web
service. The purpose of doing so will be to create your own client that can
interact with a database behind an unpublished API. The software used will be
based on the popular open source software Socat as well as the widely
recognized Wireshark. Both are available on most operating systems.

Let's get started!

We will be reverse engineering a LiveJournal client called Logjam, which
supports SSL connections to the LiveJournal API servers. Since this article
is purely educational we don't mind getting some experience using the
LiveJournal API, which is already public, and Logjam, which is a free and
open source project.

Prerequisites

• Install Socat - Multipurpose relay for bidirectional data transfer:
  http://www.dest-unreach.org/socat/

• Install Wireshark - Network traffic analyzer: http://www.wireshark.org/

• Install OpenSSL - Secure Socket Layer (SSL) binary and related
  cryptographic tools: http://www.openssl.org/

• Install TinyCA - Simple graphical program for certification authority
  management: http://tinyca.sm-zone.net/

• Install Logjam - Client for LiveJournal-based sites:
  http://andy-shev.github.com/LogJam/

Generating a false SSL certificate authority (CA) and server certificate

The API domain name for LiveJournal is simply www.livejournal.com, and any
SSL compliant client software will require the server certificate to match
the domain when it initially connects to the SSL port of the server.

An SSL CA signs SSL certificates and is nothing more than a set of
certificate files that can be used by tools like OpenSSL to sign newly
generated certificates via a certificate signing request (CSR) that is
generated while creating new server certificates. The client simply needs to
trust the certificate authority public key, and subsequently the client will
trust all server certificates signed by the certificate authority private key.

Generating a certificate authority

Run tinyca2 for the first time and a certificate authority generation screen
will appear to get you started (Figure 1).

It doesn't matter what you put here if you don't plan on keeping this
certificate authority information for very long. The target server at
LiveJournal.com will never see the keys you are generating and they will stay
completely isolated to your testing environment. Be sure to remember the
password since it will be required for signing keys later on.

Select Export CA from the CA tab and save a PEM version of the public CA
certificate to a new file of your choosing.

Generating a server certificate

Click on the Requests tab in TinyCA and then the New button that will help us
create a new certificate signing request and private server key (Figure 2).
The common name must be www.livejournal.com. The password can be anything and
we will be removing it when we export the key for use.


Figure 1. TinyCA new certificate authority window

Figure 2. TinyCA new certificate request window



Under the Requests tab there is now a certificate named www.livejournal.com
that needs to be signed. Right click and select Sign Request and then Sign
Request Server. Use the default values to sign the request.

There will now be a new key under the Key tab. Right click on it and select
Export Key and you'll be presented with a new dialog (Figure 3).

As seen in the figure, you want to select PEM (Key) as well as Without
Passphrase (PEM/PKCS#12) and Include Certificate (PEM). Doing so will export
a PEM certificate file that contains a section for the certificate key as
well as the certificate itself. The PEM standard allows us to store multiple
keys in a single file.

Congratulations, you now have a perfectly valid key for
https://www.livejournal.com as long as the web server running the site is
under your own control and uses the server key you've generated. Trusting the
key is the tricky part.

Allow Logjam to trust the certificate authority

So we have to dig in a bit to understand what SSL certificate trust database
Logjam will be using. Most Linux based GTK and console programs rely on
OpenSSL, which has its own certificate authority database that is very easy
to add a new certificate to.

In Debian GNU/Linux the commands in Listing 1 will install your new Yoyodyne
CA certificate system wide.

Now Logjam as well as programs such as wget, w3m, and most scripting
languages will trust all keys signed by your new CA.

Using Socat to proxy the stream and hijacking your own DNS

Socat is basically a Swiss Army knife for communication streams. With it you
can proxy between protocols. This includes becoming an SSL aware server and
proxying streams as an SSL aware client to another SSL aware server.

Figure 3. TinyCA private key export window






Set up your system and start up socat

Since we should aim for transparency we will need to intercept DNS requests
for www.livejournal.com as well, so that our locally operated proxy running
on port 443 on IP 127.0.2.1 is in the loop.

First, we will need to know the original IP of www.livejournal.com:

spencersr@bigboote:~$ nslookup www.livejournal.com 8.8.8.8
Server:  8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name:    www.livejournal.com
Address: 208.93.0.128

Bingo! Now add the following line to /etc/hosts near the other IPv4 records:

127.0.2.1 www.livejournal.com

Now let's do a test run by listening on port 443 (HTTPS) and forwarding to
port 443 (HTTPS) of the real www.livejournal.com:

spencersr@bigboote:~$ sudo socat -vvv \
OPENSSL-LISTEN:443,verify=0,fork,key=www.livejournal.com-key.pem,certificate=www.livejournal.com-key.pem,cafile=Yoyodyne-cacert.pem \
OPENSSL:208.93.0.128:443,verify=0,fork

Simple enough. Browsing to https://www.livejournal.com with w3m and wget
should work successfully now, and a stream of random encrypted information
will be printed by socat.



Listing 1. Install Yoyodyne CA certificate

spencersr@bigboote:~$ sudo mkdir /usr/share/ca-certificates/custom
spencersr@bigboote:~$ sudo cp Yoyodyne-cacert.pem \
/usr/share/ca-certificates/custom/Yoyodyne-cacert.crt
# world-readable, writable by root only
spencersr@bigboote:~$ sudo chmod a+r \
/usr/share/ca-certificates/custom/Yoyodyne-cacert.crt
spencersr@bigboote:~$ sudo dpkg-reconfigure -plow ca-certificates -f readline

ca-certificates configuration

Trust new certificates from certificate authorities? 1

This package installs common CA (Certificate Authority) certificates in /usr/share/ca-certificates.
Please select the certificate authorities you trust so that their certificates are installed into
/etc/ssl/certs. They will be compiled into a single /etc/ssl/certs/ca-certificates.crt file.

1. cacert.org/cacert.org.crt
2. custom/Yoyodyne-cacert.crt
3. debconf.org/ca.crt

150. mozilla/XRamp_Global_CA_Root.crt
151. spi-inc.org/spi-ca-2003.crt
152. spi-inc.org/spi-cacert-2008.crt

(Enter the items you want to select, separated by spaces.)

Certificates to activate: 2

Updating certificates in /etc/ssl/certs... 1 added, removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:Yoyodyne-cacert.pem
done.
Chaining two socat instances together with an unencrypted session in the
middle.

So far so good! Now we need to have socat connecting to another socat using
standard TCP4 protocol in order to view the unencrypted data. This works by
having one socat instance listening on port 443 (HTTPS) and then forwarding
to another socat on port 8080 (HTTP) which then forwards on to port 443
(HTTPS) of the real www.livejournal.com.



Listing 2. Socat terminal

> 2012/08/29 00:10:27.527184  length=209 from= to=208
POST /interface/flat HTTP/1.1\r
Host: www.livejournal.com\r
Content-Type: application/x-www-form-urlencoded\r
User-Agent: http://logjam.danga.com; martine@danga.com\r
Connection: Keep-Alive\r
Content-Length: 23\r
\r
> 2012/08/29 00:10:27.566184  length=25 from= to=231
ver=1&mode=getchallenge< 2012/08/29 00:10:29.551570  length=437 from= to=436
HTTP/1.1 200 OK\r
Server: GoatProxy 1.0\r
Date: Wed, 29 Aug 2012 08:10:56 GMT\r
Content-Type: text/plain; charset=UTF-8\r
Connection: keep-alive\r
X-AWS-Id: ws25\r
Content-Length: \r
Accept-Ranges: bytes\r
X-Varnish: 904353035\r
Age: 0\r
X-VWS-Id: bill-varn21\r
X-Gateway: bill-swlblO\r
\r
auth_scheme
c0
challenge
c0:1346227200:656:60:xxxxxx:xxxxxxxxxxxxx
expire_time
1346227916
server_time
1346227856
success
OK
Socat instance one:

spencersr@bigboote:~$ sudo socat -vvv \
OPENSSL-LISTEN:443,verify=0,fork,key=www.livejournal.com-key.pem,certificate=www.livejournal.com-key.pem,cafile=Yoyodyne-cacert.pem \
TCP4:10.1.0.1:8080,fork

Socat instance two:

spencersr@bigboote:~$ sudo socat -vvv \
TCP-LISTEN:8080,fork \
OPENSSL:208.93.0.128:443,verify=0,fork

Load up Logjam and the socat instances will start printing out the stream to
the terminal (Listing 2).

Hurray! You should be dancing at this point.

But wait, I mentioned using Wireshark before, didn't I?

Using Wireshark to capture and view the unencrypted stream.

Now it's time for the easy part. I'm going to assume that you are comfortable
capturing packets in Wireshark and focus mainly on the filtering of the
capture stream.

Since by default Wireshark captures all traffic we should set up a capture
filter that only listens for packets on port 8080 of host 127.0.2.1
(Figure 4).

Figure 4. Wireshark lo (loopback) interface capture window with capture filter

Once Logjam is run, packets will start streaming in while Wireshark is
recording (Figure 5).

What now?

This article is about viewing unencrypted data in an SSL session. Whatever
your reverse engineering goal is, SSL is less of an obstacle now.

How can SSL be secure then if this method is so simple?

SSL and all of the variations of digests and ciphers contained within it are
pretty reliably secure. What this article relied on was the ability to fool a
client by getting it to trust a new certificate.

If you are interested in securing your site or client software against this
sort of spying, I recommend not using an SSL certificate authority keyring or
trust database that is easily modified by the user. Including an SSL server
certificate in client software, encrypted and protected by a hard coded key
somewhere in the binary, and requiring it for use on SSL connections using a
hardened socket library will dramatically cut down on the looky-loo factor.
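
The trust rule described under "Generating a false SSL certificate authority (CA) and server certificate" and the embedded-certificate advice above can be compared side by side using throwaway keys. This is an added example, not part of the original article: it assumes the openssl command-line tool, pins a hash of the server public key rather than embedding the whole certificate, and the names pin_demo, spki_pin, api.example.test and both CA names are made up for illustration.

```sh
#!/bin/sh
# Constructed demo: every key, CA and hostname below is throwaway test data.

# Base64 SHA-256 of a certificate's SubjectPublicKeyInfo (the "pin").
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# make_ca <prefix> <CN>: self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# make_leaf <prefix> <ca-prefix> <CN>: server key, CSR, and CA-signed cert.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 2 -out "$1.crt" 2>/dev/null
}

# chain_ok <bundle> <cert>: what a stock client checks (issuer is trusted).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# pin_ok <pin> <cert>: what a pinning client checks (key is the expected one).
pin_ok() { [ "$(spki_pin "$2")" = "$1" ]; }

# Prints one line per scenario: <trust store> <certificate> chain=.. pin=..
pin_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_ca vendor-ca "Constructed Vendor CA" || exit 1
        make_leaf real vendor-ca api.example.test || exit 1
        make_ca local-ca "Constructed Local Test CA" || exit 1
        make_leaf proxy local-ca api.example.test || exit 1

        pin=$(spki_pin real.crt)                        # shipped in the client
        cp vendor-ca.crt stock.pem                      # trust store as installed
        cat vendor-ca.crt local-ca.crt > modified.pem   # after a CA is added

        for t in "stock real" "stock proxy" "modified proxy"; do
            set -- $t
            if chain_ok "$1.pem" "$2.crt"; then c=accept; else c=reject; fi
            if pin_ok "$pin" "$2.crt"; then p=accept; else p=reject; fi
            echo "$1 $2 chain=$c pin=$p"
        done
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

pin_demo
```

The third line of output is the case this article sets up: once the extra CA is in the trust store the chain check accepts the proxy certificate, while the pin comparison still rejects it.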

Conclusion 

Thanks to how simple it is to add certificate authorities to most browsers,
mobile devices, and custom client software it's a trivial matter to pull back
the curtain on SSL encrypted streams with the right tools.

Remember to thank your open source hacker friends.

Figure 5. Wireshark with captured unencrypted packets
JScrambler: protect your code


Modern websites, which use Web 2.0 and AJAX, often generate 
HTML and JavaScript code on the fly. This means that standard 
static code analyzers cannot fully scan the source code and locate 
client-side JavaScript issues, since the source code itself does not yet 
include the entire HTML and JavaScript code. 



We used a sample group of 675 websites, including all 500 of the Fortune 500
companies, plus 175 handpicked websites including IT security companies, web
application security companies, social networking sites and other popular
websites. Each application was tested for two main client-side JavaScript
issues: DOM-based cross-site scripting, and open redirects, a vulnerability
which allows a malicious attacker to force the victim's browser to
automatically redirect to a site he/she owns, and which can be used for
phishing purposes. Our research found that of the 675 websites analyzed, 98
(14.5 percent) were infested with DOM-based cross-site scripting and open
redirects (Figure 1) [1].

[1] ftp://public.dhe.ibm.com/common/ssi/ecm/en/raw14252usen/RAW14252USEN.PDF



Pie chart: vulnerable sites 14.5%, not vulnerable sites 85.5%




Here the question arises: how can I protect JavaScript code? A web
application has to live with JavaScript, and it will never be 100% secure.
However, there is a known method to protect your JavaScript: source code
obfuscation. There are some tools available on the market which provide a
degree of obfuscation, which gives you a bit of comfort that your
intellectual property (source code) is protected and that it will not be
stolen or reused by anyone else in the market.

JScrambler Overview 

JScrambler is a JavaScript obfuscator that performs all sorts of complex
stuff for your code; it transforms your code into a human-incomprehensible
form, installs all sorts of protection mechanisms and optimizes the code.
Huh - how about the functionality of your code? Yeah - it transforms and
protects while maintaining your code functionality.

Figure 1. Percentage of sites vulnerable to client-side JavaScript issues

Figure 2. Shows the application modes of JScrambler (Starter Mode, Mobile
Compatibility Mode, HTML5 Compatibility Mode)

Figure 3. Shows functionality you can use to achieve transformation from
protection point of view

How JScrambler Protects your Code? 

I would say if you are looking for a solution to optimize and, at the same
time, protect your HTML5, Mobile, Web Game or a standard JavaScript
application; then JScrambler is the product you are looking for.

Figure 2 shows the application modes available in JScrambler.

JScrambler is a customizable tool which provides a number of techniques /
parameters which you can use in your projects to secure your code. What
stands out in JScrambler is its flexibility and its focus on code protection.
That being said, it also manages to be one of the best tools for compressing
your code. It provides a wide set of customizable options to achieve
different degrees of protection, as you can see in Figure 3.

Domain lock

Description: Lock down a JavaScript so it only works for a list of domains
you specify. Good for demos and to enforce license agreements.

Input example:

// only mywebsite.com is allowed
mywebsite.com

// only mywebsite.com and www.mywebsite.com are allowed
mywebsite.com;www.mywebsite.com;

// mywebsite.com and all its sub-domains are allowed
*.mywebsite.com

Figure 4. Domain Lock Example

With JScrambler's source code obfuscation features you can achieve a certain
degree of intellectual property protection by hooking literals, splitting
strings into smaller pieces and mixing them throughout the code, reordering
function calls, or by injecting dead code to misguide static code reviews. It
also provides features to enforce your licence agreement by allowing you to
lock the code to a domain list, and/or to make the code expire on a certain
date after which your customer will not be able to execute it (see Figure 4,
Domain Lock Example).

On top of protection, it has a unique feature: proper validation of the code
prior to the application of the source code transformations, by detecting
parsing errors just like a normal compiler does. It fully supports the latest
JavaScript standard EcmaScript-262 v5.1. Figure 5 shows an overview of your
projects and whether parsing errors were detected. This can be helpful to the
user as it provides some guarantees that the script is functional before
transformation.

HTML5 obfuscation - The only one of its kind

The HTML5 obfuscation feature of JScrambler is right now the only one
available on the market.

You can use JScrambler to hide known calls to the browser DOM objects, or
HTML5-specific elements like Canvas. Figures 6 and 7 show an obfuscated HTML5
Canvas example. You can find the code available at
http://webfensive.com/canvas/.

Figure 5. Shows a quick view of parsing errors
A canvas moveTo example

function drawShape() {
  // get the canvas element using the DOM
  var canvas = document.getElementById('tutorial');

  // Make sure we don't execute when canvas isn't supported
  if (canvas.getContext) {

    // use getContext to use the canvas for drawing
    var ctx = canvas.getContext('2d');

    // Draw shapes
    ctx.beginPath();
    ctx.arc(75, 75, 50, 0, Math.PI * 2, true);  // Outer circle
    ctx.moveTo(110, 75);
    ctx.arc(75, 75, 35, 0, Math.PI, false);     // Mouth
    ctx.moveTo(65, 65);
    ctx.arc(60, 65, 5, 0, Math.PI * 2, true);   // Left eye
    ctx.moveTo(95, 65);
    ctx.arc(90, 65, 5, 0, Math.PI * 2, true);   // Right eye
    ctx.stroke();

  } else {
    alert('You need Safari or Firefox 1.5+ to see this demo.');
  }
}

Figure 6. Before Obfuscation
Figure 7. After Obfuscation



There's also the possibility of adding an exclusion attribute to script tags
to make JScrambler ignore code which you don't want it to touch.

Example: <script src="foo.js" jscrambler="ignore"></script>

By applying the aforementioned techniques, you can randomly change the
control flow and structure of your JavaScript source code and, at the same
time, maintain its functionality.

Conclusion 

It is impressively easy and painless to use JScrambler to protect your
JavaScript code. JavaScript has been gaining a lot of attention as it is used
in different types of applications such as Mobile, HTML5 Canvas and Web
Gaming. JScrambler already presents packages tailored to protect those types
of applications and it does a good job.


